PCI Final 2025 Study Guide Questions
Chip track data contains a unique chip CVV/CVC code which prevents
___________ the magnetic stripe. - Correct Answer ✔ ✔ Cloning
The PAN and expiration data in the chip can be used for fraudulent
card-not-present transactions...T or F? - Correct Answer ✔ ✔
True
4 levels a Compensating Control must meet - Correct Answer ✔ ✔
-Meet Intent and Rigor or original requirement
-Offset the risk the prior PCI requirement was to mitigate
-Above and Beyond
-Be commensurate with additional risk imposed by not adhering to
original requirement"
,What one of two conditions must be met to allow for the
consideration of Compensating Control? - Correct Answer ✔ ✔ -
Legitimate Technical Constraint
-Documented Business Constraint"
The PCI DSS follows a defined ______________ lifecycle. - Correct
Answer ✔ ✔ 36 month
Acquirer provides the following services - Correct Answer ✔ ✔ -
authorization services to a merchant
-clearing services to a merchant
-settlement services to a merchant
What pre-assessment activities should an assessor consider when
preparing for an assessment?
(choose all that apply) - Correct Answer ✔ ✔ -Consider size and
complexity of the environment to be assessed
, -Identify types of system components and location(s) of facilities to be
reviewed
-Ensure assessor(s) has competent knowledge of the technologies
being assessed
When should cryptographic keys be changed? - Correct Answer ✔
✔ At the end of their defined cryptoperiod
When is it OK for a merchant to store the CVV2/CVS2 value? - Correct
Answer ✔ ✔ Temporarily before a transaction is authorized by
the acquirer
Which words in the right order complete this sentence? In a four-
party model, a merchant transaction flows from the merchant to the
_______, then the _______________ and finally to the _______. -
Correct Answer ✔ ✔ Acquirer, Card Brand, Issuer
Chip track data contains a unique chip CVV/CVC code which prevents
___________ the magnetic stripe. - Correct Answer ✔ ✔ Cloning
The PAN and expiration data in the chip can be used for fraudulent
card-not-present transactions...T or F? - Correct Answer ✔ ✔
True
4 levels a Compensating Control must meet - Correct Answer ✔ ✔
-Meet Intent and Rigor or original requirement
-Offset the risk the prior PCI requirement was to mitigate
-Above and Beyond
-Be commensurate with additional risk imposed by not adhering to
original requirement"
,What one of two conditions must be met to allow for the
consideration of Compensating Control? - Correct Answer ✔ ✔ -
Legitimate Technical Constraint
-Documented Business Constraint"
The PCI DSS follows a defined ______________ lifecycle. - Correct
Answer ✔ ✔ 36 month
Acquirer provides the following services - Correct Answer ✔ ✔ -
authorization services to a merchant
-clearing services to a merchant
-settlement services to a merchant
What pre-assessment activities should an assessor consider when
preparing for an assessment?
(choose all that apply) - Correct Answer ✔ ✔ -Consider size and
complexity of the environment to be assessed
, -Identify types of system components and location(s) of facilities to be
reviewed
-Ensure assessor(s) has competent knowledge of the technologies
being assessed
When should cryptographic keys be changed? - Correct Answer ✔
✔ At the end of their defined cryptoperiod
When is it OK for a merchant to store the CVV2/CVS2 value? - Correct
Answer ✔ ✔ Temporarily before a transaction is authorized by
the acquirer
Which words in the right order complete this sentence? In a four-
party model, a merchant transaction flows from the merchant to the
_______, then the _______________ and finally to the _______. -
Correct Answer ✔ ✔ Acquirer, Card Brand, Issuer
